Web-Filtering: Deal or No Deal?

Most Web-savvy kids know more about gaming sites, relationship sites, chat
rooms, illegal downloading and hacker sites than I'll ever know. I teach computer
science to 17- and 18-year-olds, so I see what they do. They're always surfing
the Web to avoid the real stuff I'm trying to teach them.

In a previous life as an enterprise network administrator, I had a vested interest
in keeping people away from Web sites they shouldn't be visiting. Web-filtering
software was in its infancy in the late 1990s, so it wasn't all that effective.

Surely, it must have gotten better by now, with clever new ways of restricting
access based upon policies, AD membership, IP addresses and other novel approaches
to segmenting, isolating and categorizing groups. Here, we've tested some of
the latest and greatest to check in on the state of the art.

Websense Web Security Suite
Websense Web Security Suite is first up in our test. The download for this well-known
solution was massive. The installation was straightforward but intense. At one
point, it issued a stern warning: "Do not hit the Finish button."
Heed that installation warning. I jumped the gun and found that it really had
not finished. Click the Finish button only after it notifies you it's
done installing.

Once Websense was fully installed, the program required another 400MB or so
to download the URL filter database. The idea is that you not only filter for
specific keywords and patterns, but also for known bad URLs. You'll have to
update the URL database periodically so that Websense has the latest set of
blocked URLs in place.

Websense gives you a nice, granular view of your filtered groups (called category
sets in Websense). Once the filter list was current, I did some cursory testing
and left for the day. I felt quite confident that none of my kids would be able
to hit any of the sites I had been trying to block.

The next day, I came in to find a bunch of irritated kids. They couldn't get
to MySpace or the WOW sites, run their Trillian IM client or even get out to
Yahoo mail (just what I was hoping for). I checked back in about an hour later,
certain that they'd still be grumpy. There they were, happily working and surfing
away.

The following morning we had a little "How we hacked Websense" session.
Come to find out, there have been quite a few well-known work-arounds for "Websense
censorware." The kids found a convenient tool that let them get back online
within 10 minutes of the morning bell.

Figure 1. Websense
has an intuitive interface and configuration dashboard through which you
can control what it will filter and permit.

A "proxy-avoidance" site called Toonel.org was responsible for helping
the kids break through. They simply downloaded the Toonel client component,
installed it on their computers and thumbed their noses at Websense. When I
notified Websense about the situation, they responded with this:

"Websense Client Policy Manager [CPM] and Websense Web Security Suite
- Lockdown Edition are capable of blocking applications like this. We've added
this particular program to our application database as proxy avoidance and our
application filtering will now pick this up and prevent the launch of the program.
Also, before we categorized the application, it could have been blocked if a
customer was using CPM or Websense Security Suite - Lockdown Edition to block
uncategorized applications. Using CPM or Websense Web Security Suite - Lockdown
Edition is part of a layered approach to security that provides protection at
the gateway, network and in this case at the endpoint. Alternatively, using
our reporting tools, the network administrator could see which machines had
gone to the proxy avoidance site and then remove the applications from those
users."

When I talked to Websense representatives, I was told that a lot of the hacks
Websense finds out about are discovered by kids. No surprise there. It seems
like it would make sense for Websense to proactively try to head off potential
threats.

For those machines that already had the Toonel client on board, the Websense
database update was ineffective. Each machine had to have the client individually
removed. Interestingly, Toonel did not work on the Vista machines. Toonel uses
the loopback adapter address and port 8080 as a proxy avoidance mechanism.

Figure 2. Websense
describes its groups of filtered Web sites as Category sets, and gives you
granular control within those sets.

The long and short of it is that I liked Websense for its ease of installation
and configuration, and its relatively intuitive administrative interface. There
were times when I wanted to specifically lock out one URL but had a hard time
determining the category set to which the URL belonged. Also, I modified the
block page that shows up when someone tries to hit a blocked Web site, but my
modifications never appeared.

Also, it appears that Websense is written primarily, if not entirely, in Java.
I'm not a huge Java fan, because I think it's too big of a CPU hog. Websense
would be better if it was written in .NET code and we could avoid the baggage
Java brings to Windows servers.

It was somewhat alarming for me to see how quickly someone on a mission could
get past the filter. This points to how proactive security admins have to be,
but also brings to the forefront the immensity of the problem that Web-filtering
software tries to solve. Where there's a will, there's a way.

SurfControl Web Filter
The SurfControl installation process follows a nicely built wizard. It easily
interfaces with Active Directory and gets right to work. The product uses SQL
Server for its database and can install the Express Edition if you don't have
a copy of SQL running locally.

I ran into problems when I tried to install SurfControl on one box and then
point it to SQL Server 2005 running on a different computer. I tried it twice,
and in both cases SurfControl got through configuration but then the services
refused to start. I've never been a fan of using across-the-net SQL installations
anyway, so I bagged the dual-machine installation and went to the computer actually
running SQL Server. That installation went fine.

On another machine, I took up SurfControl's offer of installing Express Edition.
I expected the software to be residing locally, waiting for installation, but
it was natively bundled into the SurfControl installation package.

The filtering database is set to automatically download. This is sweet, fast
.NET code that runs swiftly and well. The progress bar displays behind the SurfControl
configuration window, so while you're downloading the filter database you can't
really tell what the program is doing. That's just a minor annoyance, though.

SurfControl is easy to install, configure and run. However, I ran into an issue
I couldn't easily overcome in my test configurations. While there is a stand-alone
Windows version of SurfControl, it needs a downstream enterprise-class firewall
to proactively block users. But what if you are just doing a little workgroup
blocking and you don't have any local firewalls? What if you are relying on
the corporate firewalls to keep you safe?

Figure 3. SurfControl
Web filter works with Active Directory, and installs through an easy-to-use
wizard.

SurfControl's support staff told me I had to have all of my nodes on a hub,
or attached to a switch capable of mirroring all port traffic to the SurfControl
box so it could see the traffic promiscuously. Even though my classroom users
are behind a workgroup-class "firewall" (the $69 kind that also does DHCP and
some poor-man's URL blocking), I could not get SurfControl to work correctly.

Complex Cure for a Complex World

For those of you who don't believe in getting a thorough education in Web-filtering
software, instead choosing to just plunge forward hoping that the wizard will
walk you through to harmonious completion, you would be well advised to do your
homework first. This class of software has gone through a series of improvements
and now rivals the cockpit of the space shuttle in terms of complexity and
capability. The current raft of software slices, dices, makes Julienne fries
and cleans the kitchen afterward.

By that I mean that some Web-filtering security packages include protection
against the so-called zero-day threat. Zero-day is that period of time when a
threat has been introduced, but the security software folks aren't aware of it
and thus haven't prepared any eradication, containment, curtailment or
quarantine methodology.

The idea is that there is detection code built into the product that helps it
determine there is unusual activity going on, presume that it's malicious and
take steps to do something about it. In addition to zero-day monitoring,
Websense Client Policy Manager (CPM) helps with other security issues like
spyware, peer-to-peer threats, virus outbreaks and IM hacks. The other filtering
companies reviewed here also have similar capabilities. --B.H.

In a previous job as a server admin, we ran SurfControl and liked it a lot.
It worked well and kept folks out of trouble. I've always been a big fan of
the product.

On the other hand, using SurfControl is a moderately expensive proposition
-- especially when you consider that you'll also need an ISA box to actually
do any Web-filtering. Additionally, I found that the customer support experience
could have been better.

Figure 4. SurfControl
lets you select the rules by which it will evaluate and filter suspect Web
sites.

Overall, I'm impressed with the way the code installs and runs -- now if it
would just block a user or two in stand-alone mode.

Secure Computing SmartFilter
SmartFilter has myriad installation possibilities. Want to run it against a
Cisco PIX or on a Sun Java Server? No problem.

SmartFilter very definitely wants to see a firewall as a partner in its operations,
though. There's no stand-alone version here.

There are more details on firewall installations and OEM partners that SmartFilter
supports on the Secure Computing Web site. I chose to download and evaluate
SmartFilter over Internet Security and Acceleration (ISA) Server 2004 -- one
of my mistakes in the evaluation process. Even though I created a valid "Allow
All" firewall policy, try as I might, I could not hit the Internet using
the ISA box as a proxy.

I went through the standard Microsoft TechNet "To fix this problem download
and install ISA 2004 SP1" stuff on the TechNet Web site. This did nothing
to fix the problem. The SmartFilter software itself installed just fine, making
itself an add-in to ISA. The trouble was with ISA.

I was very impressed with the product's download and installation, though I
would have preferred a stand-alone version instead of having to fight ISA. Why
can't someone invent a practical Web-filtering program that doesn't require
the extra time and brain-cycles of a production-class firewall? I don't get
it. Let me make my DHCP configuration option adjustments to point them to the
box, let it use NAT, whatever.

Figure 5. Secure
Computing's SmartFilter runs as a plug-in to Microsoft's Internet Security
and Acceleration Server 2004, but not as a stand-alone filter.

We use the SmartFilter BESS edition -- a Children's Internet Protection Act
(CIPA)-compliant version of SmartFilter specifically developed for schools --
in my school district. The kids were quick to tell me that they could easily
get past BESS, but it turned out that they were using a password which had been
given to them by someone who must have gotten tired of them complaining about
not being able to hit their Gmail and MySpace sites.

Figure 6. Make
sure you have ISA Server running and properly configured before you try
to install SmartFilter to run alongside.

From a cost standpoint, SmartFilter is much more reasonable than Websense or
SurfControl. Also, the customer support from Secure Computing was excellent.
One of the cooler features SmartFilter provides is the ability to grant
temporary access, so people can bypass filtering while they quickly view a
site.
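A temporary-access feature like the one described above is only as safe as its scoping and expiry. The following is an added example of how such a bypass can be designed (a hypothetical design for illustration, not SmartFilter's implementation): each grant is tied to one user and one host, capped at a maximum duration, purged when it expires, and written to an audit trail so the admin can see who opened what and when. All names and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone


def as_dt(value):
    """Accept a datetime or an ISO-8601 string; return an aware datetime."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value


class BypassRegistry:
    """Time-limited, per-user, per-host bypasses of the Web filter, with an
    audit log. Hypothetical design; it is not SmartFilter's implementation."""

    def __init__(self, max_minutes=15):
        self.max_minutes = max_minutes  # hard cap: a "quick look" cannot become all day
        self.grants = {}                # (user, host) -> expiry datetime
        self.audit = []                 # (when, event, admin, user, host, expiry)

    def grant(self, admin, user, host, minutes, now):
        """Open a bypass for exactly one user and one host; returns the expiry."""
        now = as_dt(now)
        minutes = max(1, min(minutes, self.max_minutes))
        expires = now + timedelta(minutes=minutes)
        key = (user, host.lower())
        self.grants[key] = expires
        self.audit.append((now.isoformat(), "grant", admin, user, key[1], expires.isoformat()))
        return expires

    def revoke(self, admin, user, host, now):
        """Close a bypass early; returns True if one existed."""
        key = (user, host.lower())
        expires = self.grants.pop(key, None)
        if expires is None:
            return False
        self.audit.append((as_dt(now).isoformat(), "revoke", admin, user, key[1], expires.isoformat()))
        return True

    def is_bypassed(self, user, host, now):
        """True only for the exact user and host inside the granted window.
        An expired grant is purged (and logged) the first time it is consulted."""
        now = as_dt(now)
        key = (user, host.lower())
        expires = self.grants.get(key)
        if expires is None:
            return False
        if now >= expires:
            del self.grants[key]
            self.audit.append((now.isoformat(), "expired", "", user, key[1], expires.isoformat()))
            return False
        return True


if __name__ == "__main__":
    reg = BypassRegistry(max_minutes=15)
    reg.grant("admin", "jdoe", "news.example", 60, "2007-01-15T09:00:00+00:00")
    print(reg.is_bypassed("jdoe", "news.example", "2007-01-15T09:10:00+00:00"))    # True
    print(reg.is_bypassed("jdoe", "myspace.example", "2007-01-15T09:10:00+00:00")) # False
    print(reg.is_bypassed("jdoe", "news.example", "2007-01-15T09:30:00+00:00"))    # False, expired
    for event in reg.audit:
        print(event)
```

The cap on duration and the (user, host) key are the two controls that keep a convenience feature from becoming a standing hole; the audit entries are what let you answer "who granted that?" when the kids start passing a bypass around.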

Parting Notes
These days, creating and updating new URL filter lists on a regular basis is
no longer an effective model. There are just too many Web sites out there and
too many variables to lend serious credibility to that methodology.

What if I forget to download the file? What if my server can't connect to the
Internet at file-retrieval time? What if there are all sorts of different ways
to get at the content without the filter server knowing about it? Where there's
a will -- there's a way. If someone wants to hack the filter badly enough and
has the right technological skills, they're going to get it done.

If you're seriously considering Web-filtering software, recognize that you'll
have to make a big investment in the architecture and be extremely proactive
about testing and reporting workarounds. Ultimately, you'll need to be prepared
to block everyone from the casual Web surfers in marketing to the hard-core
propeller-heads in programming.